authentication - How to keep API keys secret when using client side Javascript?

Question

Welcome To Ask or Share your Answers For Others

authentication - How to keep API keys secret when using client side Javascript?

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

authentication - How to keep API keys secret when using client side Javascript?

For example, check out this Facebook plugin.

In the client side the API key is clearly visible. What is stopping another user from obtaining this key and using this feature on a different site?

I figured a very naive implementation would be to check the domain the request comes from but things like this are easy to fake.

If I were to create something similar, how would I go about securing the authentication process?

I want as much of this work to be client side, though some form of server authentication will be required surely? Any links or advice would be greatly appreciated.

Update

Similar question about API keys that I found useful.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T18:43:49+0000

In three words: server-side validation. FB itself will throw an error when you use a key that's incorrect for the given site. The API key is not supposed to be secret (as opposed to the secret key).

Categories

authentication - How to keep API keys secret when using client side Javascript?

authentication - How to keep API keys secret when using client side Javascript?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags